Since this tutorial was written, the install process has evolved, and code has been written to automate the process. One repository for such code is here.

Warning -- The procedure outlined in this document is for installing a clean version of Linux Mint Debian Edition using the entire hard drive. It will overwrite any and all data. Please be sure to back up important data to external media before proceeding.

Introduction

Several guides are available for installing Linux Mint Debian Edition on an encrypted LVM file system. This guide will explain how to install LMDE using nothing but a single install medium (LiveCD, LiveDVD, or LiveUSB) and a network connection. It is expected that those following this guide are comfortable entering commands in a terminal.

Overview

This example uses a computer with 2GB of RAM and a 50GB hard drive corresponding to /dev/sda. The hard drive will have two primary partitions: a 200MB boot partition (/boot) and an LVM partition that fills the remainder of the drive. The LVM partition may optionally be encrypted. The procedure varies slightly for encryption, so be sure to watch for those deviations.

First, you will boot the computer using the Linux Mint Debian Edition Live DVD and install some required tools. Next, you will partition the drive, with optional encryption, and create and partition the volumes. Then you will mount the volumes and extract the Live DVD image into them. Finally, you will chroot into the environment and fix up the system for first boot.

Preparation

Begin by backing up all your important data. This process will destroy everything on the disk.

Once you are sure all your data is safe, put the LMDE DVD in the computer and boot the LMDE live image. Open a terminal from the menu. You need superuser privileges for everything, so make life easier by getting a root shell.

Again, my hard drive device is /dev/sda. But yours may be /dev/hda or something else. It is up to you to be sure you are using the appropriate drive. Delete your existing partitions. In gparted, I just create a new msdos partition table (in the Device menu) which will remove existing partitions. Create a new 200MB ext2 primary partition at the start of the disk. Then create an unformatted partition using the remainder of the disk. In my example, the two partition devices are /dev/sda1 and /dev/sda2. If your devices differ, be sure to use your devices in the commands below. Be sure to save your changes.

Now you must make a decision: to encrypt or not to encrypt. Code blocks that differ based on this decision are labeled. If you choose to encrypt, it is considered best practice to first fill the partition with randomness to defeat certain key recovery techniques. This step can take quite a long time. Please be patient. It is also your responsibility to research what encryption algorithms and key sizes are right for you. The following commands just use the defaults. Also, it is a good idea to remember your password.

I named my volume group volumes. Feel free to change it. You should also choose sizes that fit your needs. If you plan to suspend to RAM, you need a swap volume that is at least as large as the amount of RAM in your system. The -n option gives the volume name and the -L option the volume size. Use man lvcreate for more information.

Now you need to update /mnt/etc/fstab so the new system will know where to mount the volumes. Open fstab with your favorite editor (gedit, vi, nano, etc.) and replace the entries with something like the following.

Because the mint user was removed, GDM automatic login will be broken. Unless you want to see a blank screen with only the busy spinner when you boot, be sure to complete this step. Open /etc/gdm3/daemon.conf with vi or nano and replace `AutomaticLoginEnable=true` with `AutomaticLoginEnable=false`.

Cleanup and Restart

Theoretically, you should be able to reboot at this point, but it is a good idea to back out some first.

You can now safely reboot. Be sure to eject the DVD when prompted. If you chose to encrypt, you should be prompted for a password. Otherwise, you should get the familiar GDM login screen. Enter your username and password from above and you should be logged in.

I hope this helped. I'll try to watch this post for questions. Good luck!

Last edited by Pierre on Mon Dec 22, 2014 10:25 am, edited 2 times in total.
Reason: updated pre-amble at beginning of Tutorial.

I'm running Mint 10 right now, dual-booting with Windows 7. My Windows partition is encrypted, and my Mint /home directory is as well. I would like to switch from Mint 10 to Mint Debian, but I must encrypt at least the /home directory, and I need to preserve the Windows partition for work reasons. I'm comfortable in the command line, but have been known to bork systems in the past. Can you recommend a way (or a modification to your tutorial) to install LMDE with either an encrypted partition or encrypted /home, dual-booting with Windows?

Thanks for the positive feedback kwatson512. I've used both the encrypted and unencrypted methods at work. I posted this howto both as a reminder to myself (because I forgot some things the last time) and to help others out.

If you want to keep the setup you have but with Mint Debian instead of Mint 10, your work is half over (maybe more). Just boot into the LMDE Live DVD, skip the partition setup, and go straight to Volume Population. Okay... maybe not straight; you'll need to take a slight detour.

But it is hard to come up with that detour without more information. Can you post your /etc/fstab and /etc/crypttab and the output of 'sudo sfdisk -l' and 'sudo lvdisplay' (if you are using LVM)?

I think it will be a matter of formatting (or just erasing) your old root partition and mounting your file systems in /mnt just as they are under Mint 10. Then unsquash the LMDE image into /mnt, install any required packages, and use your old /etc/fstab and /etc/crypttab files in the new system.

I would recommend that you back up everything important before doing anything. And it would be a good idea to try things in a virtual machine first. That's what I did when writing this guide. I used VirtualBox to verify the procedure.

Anyway, if you post that additional information, I'll get back to you with more specifics.

I don't have a crypttab file. I have an encrypted /home directory, not the entire partition. And that's really all I need. So my /home directory includes a .Private directory, where all my data resides. If I lose my laptop, I don't care if people get access to the Mint filesystem - after all, it's a free open-source operating system. What I want to protect is my personal and work data.

Mint 10 is based on Ubuntu 10.10 and uses ecryptfs for encrypting /home. It looks like Debian testing and Ubuntu 10.10 both have ecryptfs-utils version 83 in the repositories. I'm not sure what else would be required to get /home encryption working flawlessly. I would try playing with a clean install of LMDE in a VM and see if you can replicate what is required if that is the way you want to go. Do some searching for ecryptfs encrypted home on Debian. And be sure to encrypt the swap partition as well.

You can use LUKS to encrypt /home as well and probably do something similar to Ubuntu to automatically mount the encrypted volume. It could even be a special file you create with dd. I think that is the way I would go. I may even look into this soon as full disk encryption is taxing my work laptop.

I'm afraid I can't be of more help. What you are after is a bit more advanced and something I have never done or looked into before. But I bet someone else has and created a thorough tutorial. Be sure to post a link back here when you figure it out.

I admit I'm new to Linux. I tried following the instructions for installing with encryption but got hung up on this line: `dd if=/dev/urandom of=/dev/sda2 bs=1M & sleep 5; while kill -USR1 "$!"; do sleep 60; done` It didn't like the exclamation mark, am I doing something wrong?? I copied and pasted as is.

I would like to reinstall LMDE into my PC with encryption and your howto looks great. But I have two questions:

1- Do I really need to fill the partition with randomness? You said it takes long time to do this (many hours...)? - When I install Ubuntu and I choose to encrypt my home, it doesn't take hours to achieve this.

2- Is there a way to bypass the passphrase when I reboot my machine? Something like Ubuntu? I don't want to type a passphrase then my password to login into my account each time I reboot... (well, maybe I'm too lazy).

By the way, this command starts dd in the background and sends it the USR1 signal every minute until dd is done, causing dd to print its progress.

@panzer

It is important to fill the encrypted partition with pseudo-random data before use to defeat cryptanalysis (or at least make it much harder). LUKS uses block-level encryption. I am assuming LUKS must encrypt the entire block without caring about what is actually on it. Filling the disk with randomness reduces the chance of an attacker guessing what the block contains. /dev/urandom is terribly slow (probably an overnight event). There may be other utilities that would work faster, but I would not recommend skipping this step.

Ubuntu uses ecryptfs to encrypt the home directory, which uses PAM to get your login credentials to unlock your encryption key allowing you to only type your password once. With LUKS full-disk encryption, you are asked your password before the real root file system is mounted and before the system is ready for you to log in. So, there isn't a way (that I know of) around entering two passwords. But don't worry, it doesn't take long to get used to it.
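The progress loop discussed above, as an added example that is not part of the original posts: it wraps the same dd and USR1 polling in a function and writes to a scratch file instead of /dev/sda2. The names fill_random and demo_fill and the iflag=fullblock option are additions, and GNU dd on Linux is assumed.

```shell
#!/bin/sh
# Added example: the dd-plus-USR1 progress loop from the thread, aimed at a
# scratch file so it can be run without touching a disk.

# fill_random TARGET MIB [INTERVAL]
#   Writes MIB mebibytes of /dev/urandom output to TARGET and asks dd for a
#   progress report every INTERVAL seconds (default 60, as in the thread).
#   Returns dd's exit status.
fill_random() {
    target=$1
    mib=$2
    interval=${3:-60}

    # iflag=fullblock keeps count= exact even if a signal interrupts a read.
    dd if=/dev/urandom of="$target" bs=1M count="$mib" iflag=fullblock &
    # Save the PID at once. In a script "$!" is safe; an interactive bash with
    # history expansion on may reject the "!" (set +H turns that off).
    dd_pid=$!

    # Give dd time to install its USR1 handler; a USR1 that arrives before
    # that would terminate it. The thread's one-liner sleeps 5 seconds here.
    sleep 1

    # GNU dd prints its I/O statistics to stderr on USR1. kill fails once the
    # process is gone, which ends the loop.
    while kill -USR1 "$dd_pid" 2>/dev/null; do
        sleep "$interval"
    done

    # Collect dd's own exit status rather than the loop's.
    wait "$dd_pid"
}

# Constructed demo: 4 MiB into a temporary file, polling every second.
# Prints "<dd exit status> <bytes written>".
demo_fill() {
    scratch=$(mktemp) || return 1
    fill_random "$scratch" 4 1 2>/dev/null
    rc=$?
    size=$(wc -c < "$scratch" | tr -d ' ')
    rm -f "$scratch"
    echo "$rc $size"
}

demo_fill
```

For a real partition the count= argument is dropped, so dd runs until the device is full and exits with a "No space left on device" status; that non-zero status is expected in that case.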

panzer wrote: 2- Is there a way to bypass the passphrase when I reboot my machine? Something like Ubuntu? I don't want to type a passphrase then my password to login into my account each time I reboot... (well, maybe I'm too lazy).

Just edit the /etc/gdm3/daemon.conf and set `AutomaticLoginEnable=true` BUT it is also important to set `AutomaticLogin=newuser` where newuser is your new user you created following the HowTo.

A quick search in the Mint forums on encrypting the home directory with ecryptfs didn't return anything useful. A Google search returned several results that should be helpful. I may do this on a laptop soon. I'll post something if I figure it out. Post back here if you find anything useful. Thanks.

Brilliant HowTo ... I'd like to ask an 'overview' question concerning your use of LMDE's contained squashfs. I had thought that, as the live version assembles itself while starting up, that it configured itself to the machine it was running on ; that is, drivers selected, config(s) done, etc. So, not clear about this, if you use the vanilla, 'base' version of LMDE contained in the squashfs, that seems that it would not include config for the specific (current) machine - no ? I had thought that the reason for doing an 'intermediary install' as in the previous writeup for an encrypted, lvm2 LMDE installation was to include all/any local configuration - whereas your proposed method would seem to bypass such config.

Just asking, this is not a critique (it's an area of my ignorance, how could it be ?), I'm interested in clarifying this point. Am I missing something simple and obvious ?

This howto does skip some of the configuration that an installer would normally perform. It only does enough to get you up and running with LVM and encryption (optional) on the new system, which is something the current installer does not support. As far as I know, the setup steps I've skipped are configuring the keyboard, advanced network setup (with host name), and adding additional packages. I will claim ignorance if I've missed anything else as I haven't used the LMDE installer. I'm new to LMDE and based this howto on my experience with creating custom Ubuntu live CDs. Configuring the missed items is really simple and can mostly be done from the Control Panel. The hostname can be set by editing /etc/hostname.

I will not claim that I haven't missed something, but I believe all the basics are covered. If more experienced Debian/LMDE users would like to chime in, it would provide a more complete solution.

You could also try comparing the results of the installer to this method. Or even better, have a look at the installer code/scripts. I believe, however, that following this howto will get you a working system that is very close to one installed via the normal method.

Thanks for the post back. Enjoy LMDE. I know I am after Ubuntu turned down a path I don't agree with.

Thanks for the response. I agree entirely with your feelings about Ubuntu and am also turning to LMDE, although for somewhat more pragmatic reasons. I've been grounded in a Debian system for the past 10 years or so, am entirely happy with it and have acquired reasonable admin skills for its care & feeding. I've done lots of installations for friends, usually Ubuntu, until now having considered it 'beginner friendly' enough. In total it's been about ~100 installs. (My bit as a Linux 'Johnny Appleseed'.) Progressively, though, it's become a major time sink for me, fixing the endless cavalcade of bugs that Ubu has released and, worse, the bugs have caused enough people to give up on their shiny new Linux installs ... Unacceptable - and it seems as though it will continue to get worse.

So, back to technical issues : you are entirely correct about the surface config issues - language, keyboard, timezone, locale, etc. Those are easily enough taken care of on first login. What I was wondering, though, and this is where my blind spot is, is when the 'live' instance first comes up and does the underlying config for the system. That is, both the live system and your neat way of doing this, at some point shortly after unpacking 'filesystem.squashfs' must take a look at the current hardware and do basic config - kernel modules, creation of an /etc/fstab file, running udev, that kind of thing - on that level. The major subsystems should take care of themselves - X, these days will autoconfigure, as will HAL, if there, and udev but where does, e.g. alsa detection and configuration come in ? As said, this is a blind spot - obviously *every* live system does this *each* time it comes up but I'm wondering whether that is part of the live-* stuff and not part of the underlying system.

panzer wrote: 2- Is there a way to bypass the passphrase when I reboot my machine? Something like Ubuntu? I don't want to type a passphrase then my password to login into my account each time I reboot... (well, maybe I'm too lazy).

Just edit the /etc/gdm3/daemon.conf and set `AutomaticLoginEnable=true` BUT it is also important to set `AutomaticLogin=newuser` where newuser is your new user you created following the HowTo.

Assuming you use the Gnome keyring, then I've found that it's also useful to delete those files (the ~/.gnome2/keyrings folder) and then when asked for a new keyring password (probably when you connect to wifi) enter a blank password. That keeps the keyring from popping up and bugging you after an automatic login. Since everything in your home directory or partition is encrypted anyway, this isn't a risky thing to do.

I just install to an encrypted partition the easy way (I use either a Debian or Crunchbang installer, which have encryption options, and then I add the Mint repos to sources.list and do a dist-upgrade), but maybe I'll try it this way the next time.

I understand your concerns. There really isn't much difference between Debian-based live CDs and a freshly installed system. A lot of things that used to need to be configured by hand are now auto detected/configured. That said, your concern prompted me to look at the installer package to see what differences there really are between my method and the official installer. You can look yourself by downloading the live-installer source package (enable source packages in the update manager, and do `apt-get source live-installer` in a terminal on the Live CD or an LMDE install). The steps below were taken from live-installer-2010.12.16.1/usr/lib/live-installer/installer.py, which is the file containing the model for the LMDE GTK-based installer, and are the steps the official installer performs to prepare a new system. Steps that are also in this howto are marked with a `y` while those I left for the user are left blank.

I've used the method in this howto to install LMDE on two laptops, a desktop, and multiple virtual machines. The laptops and desktop were all Dells, but each has vastly different hardware. All of these systems work great.

Now that I've looked at the installer, it looks like a trivial task to throw together a simple python script that could read a config file and invoke the installer script with the appropriate options. If only I had more free time!

Anyway, great questions ccgg. I don't think you have anything to worry about.

Thanks for the clarification(s). I never doubted that you tested the procedure well but you've provided the conceptual 'missing link'. I, as well, were it not for time, would be interested in 'completing that circle' but I can't really believe, beyond the immediate future, that the Mint devs won't simply adapt the Debian installer. It's endlessly brandable and configurable and would eliminate the need for clever, elegant and nifty efforts - like your own. I suppose that it was time & resource constraints that led to the writing of the current LMDE installer, but I can't believe that canny and capable devs, like the people here, won't simply leverage and take advantage of the greater capabilities of the Debian installer.

In the event, thanks again ! I will use your recipe - or a slight variant, for my installations - until an improved installer appears.

At least I got a problem with updating with the update manager and got the LMDE updates message "Fix Broken Packages". I am familiar with this on every new installation of Version 9. The Solution: `sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade`

That will need much time and some user interactions!

I ask myself and the experts if it is not possible to avoid this annoying bug in change the line
`apt-get purge 'live-*'`
`apt-get update`